A blog about Cyber Security & Compliance

Month

December 2014

The physical Point-of-Interaction (POI) devices that accept and process credit card transactions can be one of the most vulnerable attack vectors for criminals’ intent on stealing cardholder data. The combination of advancing technologies like 3D printing or near field communication (NFC) with outdated policies and untrained staff allows fraudsters an opportunity for substitution of POIs and insertion of physical skimmers that can result in huge losses of cardholder data.

To combat this, the Payment Card Industry Data Security Standard (PCI-DSS), Version 3.0 introduced a new requirement, found in Section 9.9. This requirement is currently a “best practice” but will become a mandatory requirement for compliance July 1, 2015. It mandates a new set of additional policies, procedures, and training for merchant organizations. Organizations that choose to delay the design, development, and implantation of these new processes until mid-2015 will be at risk of non-compliance with these new requirements.

Like this:

Corporate Data: A Protected Asset or a Ticking Time Bomb? is a Ponemon Institute study sponsored by Varonis, surveying a total of 2,276 employees in US and European organizations (United Kingdom, Germany and France), including 1,110 individuals (hereafter referred to as end users) who work in such areas as sales, finance and accounting, corporate IT, and business operations, and 1,166 individuals who work in IT and IT security (hereafter referred to as IT practitioners).

In the context of this research, both IT practitioners and end users are witnessing a lack of control over their organizations’ data and access to it, and the two groups generally concur that their organizations would overlook security risks before they would sacrifice productivity. Employees are often left with needlessly excessive data access privileges and loose data-sharing policies.

Compounding the risk, organizations are unable to determine what happened to data when it goes missing, indicating a lack of monitoring and further absence of controls.

This presents a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data. Efforts to address these risks will need to overcome employee perceptions, as they believe data protection is not considered a high priority by senior leadership.

Following are research findings that illustrate the growing risks and challenges to productivity that data growth and a lack of internal controls currently present for organizations of all sizes:

End users believe they have access to sensitive data they should not be able to see, and more than half say that access is frequent or very frequent. 71% of end users say that they have access to company data they should not be able to see. 54% characterize that access as frequent or very frequent.

End users believe data protection oversight and controls are weak. 47% of end users say the organization does not strictly enforce its policies against the misuse or unauthorized access to company data and 45% say they are more careful with company data than their supervisors or managers. Furthermore, only 22% of employees say their organization is able to tell them what happened to lost data, files or emails.

IT agrees. Most IT practitioners surveyed state that their companies do not enforce a strict least-privilege (or need-to-know) data policy. Four in five IT practitioners (80%) say their organizations don’t enforce a strict least-privilege data model. 34% say they don’t enforce any least-privilege data model.

End users and IT agree that data growth is hindering productivity more every day. 73% of end users believe the growth of emails, presentations, multimedia files and other types of company data has very significantly or significantly affected their ability to find and access data.

Uncertainty about whether senior executives view data protection as a priority affects. compliance with security policies. Only 22% of end users believe their organizations overall place a very high priority on data protection. About half (51%) of IT practitioners believe their CEO and other C-level executives consider data protection a high priority.

IT practitioners say end users are likely to put critical data at risk. 73% of IT practitioners say their department takes data protection very seriously. However, only 47% believe employees in their company take the necessary steps to make sure confidential data is secure. Thus, IT departments know end user security risks exist but think they are limited in what they can do about it.

End users think it is OK to transfer confidential documents to potentially unsecure devices. 66% of end users say there are times when it is acceptable to transfer work documents to their personal computer, table, smart phone and even the public cloud. Only 13% of IT practitioners agree.

End users and IT practitioners do not think their organization would accept diminished productivity to prevent the risk to critical data. 55% of end users say their company’s efforts to tighten security have a major impact on their productivity. Only 27% of IT practitioners say their organization would accept diminished productivity to prevent the loss or theft of critical data.

End users and IT agree that employees are unknowingly the most likely to be responsible for the leakage of company data. 64% of end users and 59% of IT practitioners believe that insiders are unknowingly the most likely to be the cause of leakage of company data. And only 46% of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

Like this:

Fuelled by cybercrime, cyber warfare, and cyber terrorism, the cost of cybersecurity and risk management will double in 2015. That’s the bad news. The good news is there will be a shift to cyber offense that will begin to stem the tide of cyber threats.

Like this:

Coalfire, the leading independent information technology governance, risk and compliance (IT GRC) firm, today released its top ten cybersecurity predictions for 2015.

“As 2014 ends, it is clear this was the year everything changed in the world of information security,” said Rick Dakin, Coalfire’s CEO and chief security strategist. “As high-profile data breaches were announced one after another, consumers stopped believing companies took protecting their information seriously. It’s time for companies to start looking ahead at the next generation of threats and to step up their game to better protect consumer data. The threat landscape is continuously evolving. If you don’t already have threat intelligence and response plans ready for implementation in 2015, now is the time.”

Coalfire conducts more than 1,000 audit and assessments of systems containing sensitive data each year. Based on the trends in those investigations, Dakin predicts the following for 2015:

Motivated Threat Actors. The number and sophistication of cyber threats will continue to increase exponentially. Fueled by both geopolitics and economic incentives, international (and often state sponsored) criminal organizations will escalate their development of offensive cyber capabilities.

Redefining the Defense. The demands of cybersecurity are fundamentally changing IT. Cyber risk management and security compliance will take an equal weight to other design criteria like functionality, capacity and performance. Financial ROIs will be balanced by a new understanding of risk exposure for sub-par solutions.

Three Heads vs. One. In large organizations, there are technical roles that require the knowledge and experience of CIOs, CTOs and CISOs. While some have predicted the death of the CIO role, we see instead a balancing of responsibility between three peers.

Investments Will Increase. In the face of pernicious new threats, the cost of cybersecurity and risk management will remain on track to double over the next three years.

New Fronts. The expansion of mobility, cloud computing, bring-your -own – device (BYOD) policies, and the Internet of Things will provide new (and previously unforeseen) opportunities for cyber-crime, cyber-warfare, and cyber-terrorism.

Universal Monitoring. As a result of cyber-incidents, every organization (or person) will be using some form of continuous monitoring service (threat, scanning, identity or credit). These will be legislated, mandated by financials institutions or insurers, or acquired on their own behalf.

Business Leadership on Policy Development. Executive leadership will lead to further development and maturation of standards across private sector and governmental organizations. This approach to security and cyber risk management will reduce the potential for “unforeseen” damage from cyber-attacks, cyber warfare and cyberterrorism.

New Threat Detection and Response Technologies. There will be an increased use of crowdsourcing, machine intelligence, and cognitive/advanced analytics to detect and stay ahead of threats. Bounties for catching bad actors and advanced algorithmics will help the “good guys” identify and stay ahead of the hordes of malicious players.

Improved Security. New and better applications of authentication, EMV, encryption and tokenized solutions will increase the security of payments and other personal and confidential information. Apple Pay and other next-generation solutions will overcome anti-NFC inertia and lead to increasing adoption of mobile-based security technologies for both retail payment and other applications, such as healthcare, where critical and confidential information is exchanged.

Back to Offense. We will see the beginnings of a shift from cyber-defense to cyber-offense. From attempting to build impenetrable systems, to building systems that make it possible to identify attackers and provide the means to prosecute, frustrate or delay them.